Scenario Overview:
Organizations experiencing frequent mergers and acquisitions (M&A) often operate in a persistent multi-tenant environment. While Microsoft Intune does not support natively multi-tenant organization (MTO) management, companies must adopt a hybrid and transitional approach.

Microsoft strongly encourages tenant consolidation as the end goal.

To support that, Microsoft provides strategic and technical guidance for tenant-to-tenant migrations, which should be the primary target over the long term. Where immediate consolidation is not feasible, best practices can be applied to manage coexistence.

Microsoft 365 Tenant Consolidation Strategy

Reference Microsoft’s official guide: Microsoft 365 Tenant-to-Tenant Migrations

• Focuses on mailbox, SharePoint, OneDrive, Teams, and identity migration.


• Provides planning tools, timelines, and license considerations.


• Essential for reducing long-term complexity and licensing overhead.

Use this as the north star for IT integration post-M&A.

Intune Multi-tenant Organization Strategy

1. Anchor Tenant Strategy

• Designate one tenant as the anchor for central IT governance.


• All new devices should be joined to this anchor tenant (via Entra ID Join or Hybrid Join).


• Anchor tenant manages core security policies, baseline configurations, and compliance enforcement.

2. Cross-Tenant Identity Strategy

• Use Microsoft Entra Cross-Tenant Access Policies:




• Enable B2B collaboration and B2B direct connect.


• Establish trust between tenants with granular controls (default deny, allow-by-exception).




• Implement Cross-Tenant Synchronization for user lifecycle management.


• Leverage Lifecycle Workflows for automatic provisioning/deprovisioning.

3. Intune Management Model

• Centralized management via anchor tenant where possible.


• Maintain local Intune instances in acquired tenants when needed, applying consistent naming, tagging, and policy templates.


• Use policy-as-code via Graph API to standardize across tenants.

4. Automation & Orchestration

• Tools:
  
  
  
  • Microsoft Graph API
  
  
  • Azure Automation Runbooks
  
  
  • PowerShell Modules (Microsoft.Graph.Intune)
  
  
  • Power Platform / Logic Apps for cross-tenant coordination
  
  
  • Azure DevOps and GitHub Actions for CI/CD workflows
  
  
  • Microsoft365DSC
  
  
  
  


• Example Automation Tasks:
  
  
  
  • Export/import compliance or configuration profiles.
  
  
  • Monitor device compliance or update status.
  
  
  • Deploy baseline Defender policies programmatically.
  
  
  
  


• Highlighted Resources:
  
  
  
  • Microsoft365DSC is an Open-Source initiative led by Microsoft engineers and maintained by the community. The tool covers all major Microsoft 365 workloads such as Exchange Online, Teams, SharePoint, OneDrive, Security and Compliance, Power Platforms, Intune and Planner.
    
    
    
    • What is Microsoft365DSC? – Microsoft365DSC – Your Cloud Configuration
    
    
    
    
  
  
  
  

• 
  
  
  
  • Configuration as Code for Microsoft Intune (Microsoft Tech Community):
    A conceptual guide on using GitHub Actions, Graph API, and CI/CD pipelines to approach Intune MTO scenarios.
    
    
    
    • Configuration as Code for Microsoft Intune | Microsoft Community Hub
    
    
    
    
  
  
  
  

5. Delegated Access with Microsoft 365 Lighthouse

• Use Microsoft 365 Lighthouse to delegate Intune RBAC roles across tenants.


• Enables MSPs default policies to manage SMB tenants:




• Device compliance status


• Policy drift and remediations


• Security baseline deployment

6. Conditional Access Consistency

• Maintain CA policies per tenant with unified standards.


• Use Entra ID naming conventions to reflect M&A origin.


• Automate periodic reviews of CA configurations.

7. Reporting & Monitoring

• Aggregate data across tenants using:




• Graph API queries


• Azure Monitor


• Log Analytics Workspaces


• Third-party tools

Limitations Acknowledged:

High-level Steps:

• Define anchor tenant governance model.


• Prioritize tenant-to-tenant consolidation where feasible.


• Deploy Cross-Tenant Access Policies.


• Identify automation gaps for policy deployment.


• Assign Microsoft 365 Lighthouse roles to MSP central IT where appropriate.


• Establish reporting pipelines across tenants.


• Evaluate GitHub and Azure DevOps pipelines to implement policy-as-code workflows.

Bookmark: Windows 365 Cloud PC Healthcare Series (aka.ms/W365HealthcareBlog)

Thank you for stopping by; Juan Sifuentes | CETS | Healthcare.